From 5d9f45a6a15023c695ddb3622be5e44b8d31c10e Mon Sep 17 00:00:00 2001
From: Simon Brandhof
Date: Wed, 16 Nov 2016 17:20:07 +0100
Subject: [PATCH] SONAR-8177 do not display messages of internal errors

---
 .../main/java/org/sonar/server/ws/WebServiceEngine.java | 4 +++-
 .../java/org/sonar/server/ws/WebServiceEngineTest.java | 8 ++++----
 .../src/main/resources/org/sonar/l10n/core.properties | 1 +
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/server/sonar-server/src/main/java/org/sonar/server/ws/WebServiceEngine.java b/server/sonar-server/src/main/java/org/sonar/server/ws/WebServiceEngine.java
index 85699bad2b8..889ba49b7f9 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/ws/WebServiceEngine.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/ws/WebServiceEngine.java
@@ -120,7 +120,9 @@ public class WebServiceEngine implements LocalConnector, Startable {
         return;
       }
       LOGGER.error("Fail to process request " + request, e);
-      sendErrors(response, 500, new Errors().add(Message.of(e.getMessage())));
+      // Sending exception message into response is a vulnerability. Error must be
+      // displayed only in logs.
+      sendErrors(response, 500, new Errors().add(Message.of("error_occurred")));
     }
   }
 
diff --git a/server/sonar-server/src/test/java/org/sonar/server/ws/WebServiceEngineTest.java b/server/sonar-server/src/test/java/org/sonar/server/ws/WebServiceEngineTest.java
index a5a0c1b0cca..b1eaf0ecb82 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/ws/WebServiceEngineTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/ws/WebServiceEngineTest.java
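Review bot: The new 500 body is now identical for every internal failure, so the "contact your administrator" text gives the administrator nothing to find the matching `Fail to process request` log entry with; consider tagging both with a short random identifier, e.g. `String errorId = UUID.randomUUID().toString();` included in the log line and, if `Message.of` accepts parameters (not visible here), passed as a message argument. The response also carries the bare key `error_occurred` rather than text; whether the client ever sees the `core.properties` wording depends on how `sendErrors` (outside the hunk) applies the injected `I18n`, and the updated test only pins the key. The added comment would be more useful if it named what is being protected against: `// Never echo e.getMessage() to the client: it can expose class names, file paths or SQL fragments. Details go to the log only.` The enclosing catch block starts before the hunk, so the early-return branch above it, and whatever that branch still sends to the client, is not reviewed here.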
@@ -54,9 +54,8 @@ public class WebServiceEngineTest {
   @Rule
   public UserSessionRule userSessionRule = UserSessionRule.standalone();
 
-  I18n i18n = mock(I18n.class);
-
-  WebServiceEngine underTest = new WebServiceEngine(new WebService[] {new SystemWs()}, i18n, userSessionRule);
+  private I18n i18n = mock(I18n.class);
+  private WebServiceEngine underTest = new WebServiceEngine(new WebService[] {new SystemWs()}, i18n, userSessionRule);
 
   @Before
   public void start() {
@@ -223,9 +222,10 @@ public class WebServiceEngineTest {
     DumbResponse response = new DumbResponse();
     underTest.execute(request, response);
 
-    assertThat(response.stream().outputAsString()).isEqualTo("{\"errors\":[{\"msg\":\"Unexpected\"}]}");
+    assertThat(response.stream().outputAsString()).isEqualTo("{\"errors\":[{\"msg\":\"error_occurred\"}]}");
     assertThat(response.stream().status()).isEqualTo(500);
     assertThat(response.stream().mediaType()).isEqualTo(MediaTypes.JSON);
+    assertThat(logTester.logs(LoggerLevel.ERROR)).filteredOn(l -> l.contains("Fail to process request")).isNotEmpty();
   }
 
   @Test
diff --git a/sonar-core/src/main/resources/org/sonar/l10n/core.properties b/sonar-core/src/main/resources/org/sonar/l10n/core.properties
index ec2c18ff9fe..87160476114 100644
--- a/sonar-core/src/main/resources/org/sonar/l10n/core.properties
+++ b/sonar-core/src/main/resources/org/sonar/l10n/core.properties
@@ -220,6 +220,7 @@ check_project=Check project
 coding_rules=Rules
 click_to_add_to_favorites=Click to add to favorites
 click_to_remove_from_favorites=Click to remove from favorites
+error_occurred=An error has occurred. Please contact your administrator.
 contact_admin=Please contact your administrator.
 created_by=Created by
 deactivate_all=Deactivate all
-- 
2.39.5
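Review bot: The new `logTester` assertion in the second hunk only shows that the error line was logged; the property SONAR-8177 is actually about, that the exception's own message never reaches the client, is enforced solely by the exact `isEqualTo` on the body and would silently disappear if that assertion is later relaxed to a `contains` check. Make the intent explicit with `assertThat(response.stream().outputAsString()).doesNotContain("Unexpected");` next to the log assertion, assuming "Unexpected" is the message of the exception the test throws (set up outside the hunk). `logTester` is used but not declared in this diff, so it presumably already exists as a rule on the class; and since `logs(LoggerLevel.ERROR)` appears to return formatted messages, the test does not confirm that the throwable itself is attached to the log entry. The surrounding test method starts before the hunk.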